Re: How to uncheck Password cannot change Flag in ActiveDirectory

---

• From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
• Date: Tue, 3 Jul 2007 11:09:13 -0500

---

Srihari wrote:

I am working with Active Directory in C#. I want to reset the password
and set the User must change the password at next logon. I did it.
It working fine.

But "Password Cannot change" is set when user is created,
User must change the password at next logon is not working.

So i want to uncheck the flag ""Password Cannot change". How to do it?

Plaese tell me if anybody knows

I don't code in C#, but you need to modify the appropriate bit of the
userAccountControl attribute. You XOR the current value with the bit mask
ADS_UF_PASSWD_CANT_CHANGE to toggle the bit off. In VBScript:
===========
' Bit mask for "Password cannot change"
Const ADS_UF_PASSWD_CANT_CHANGE = &H40

' Bind to user object.
Set objUser = GetObject("LDAP://cn=Jim Smith,ou=Sales,dc=MyDomain,dc=com")

' Retrieve value of userAccountControl attribute.
lngFlag = objUser.userAccountControl

' Check if "Password cannot change" bit is set.
If (lngFlag AND ADS_UF_PASSWD_CANT_CHANGE) <> 0 Then
' Toggle the bit to turn it off.
lngFlag = lngFlag XOR ADS_UF_PASSWD_CANT_CHANGE
' Save changes.
objUser.SetInfo
End If
============
You AND the value of userAccountControl with the bit mask to test if it is
set. Any non-zero result means the bit is set. Zero means the bit is not
set. You OR the value of userAccountControl with the bit mask to set the
bit. You XOR userAccountControl with the bit mask to toggle the bit, which
is the only way to turn it off.

Note, there is also a bit of userAccountControl for "Don't expire password".
The bit mask is &H10000. Also, you can remove permissions for the user to
change their password. The code to restore these permissions is more
complex.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


.

---

• Follow-Ups:
  • Re: How to uncheck Password cannot change Flag in ActiveDirectory
    • From: srihari . kilari

• References:
  • How to uncheck Password cannot change Flag in ActiveDirectory
    • From: srihari . kilari

• Prev by Date: Re: federated services
• Next by Date: Re: How can i give rigths to my users like Local Power User?
• Previous by thread: How to uncheck Password cannot change Flag in ActiveDirectory
• Next by thread: Re: How to uncheck Password cannot change Flag in ActiveDirectory
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: UserAccountControl, enable account and converted native DS type ... Script Center right? ... You should not assign values this way to userAccountControl. ... disable the account. ... the bit mask for ADS_UF_ACCOUNTDISABLE has a value of 2. ... (microsoft.public.scripting.vbscript) [SLE] Basic SAMBA Configuration ... I have 2 computers I am trying to network. ... directory mask = 0700 ... (SuSE) Re: samba.conf ... domain master = Yes ... comment = All Printers ... create mask = 0600 ... comment = Network Logon Service ... (alt.os.linux.suse) Re: samba.conf ... domain master = Yes ... comment = All Printers ... create mask = 0600 ... comment = Network Logon Service ... (alt.os.linux.suse) Re: samba.conf ... domain master = Yes ... comment = All Printers ... create mask = 0600 ... comment = Network Logon Service ... (alt.os.linux.suse)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)